SilverLining IL

Attendees Guest: Or Kamara Guest Title:  Senior team lead  Company:  Synk Abstract Cloud computing can bring interesting and new attack vectors. In this episode, we talk with Or Kamara, Senior team lead at Synk, about the Capital-one hacking and what can be learned from the event in order to better protect our networks. We will analyze the attack step by step and add mitigating controls that can help in preventing the next attack. Timing: 0:35 Introducing our guest 4:10 introducing the story the capital one hack  5:45 The phases of the Capital One hack 7:50 The first misconfiguration - servers exposed to the internet unintentionally 11:05 the SSRF vulnerability and understanding meta-data service 19:38 Using API keys for browsing S3 and how to mitigate it 26:00 things that Capital One did right and additional insights 28:00 how should developers and IT  30:50 shifting from traditional security to new cloud security mindset 36:00 summary and final words ...

Attendees Guest: Bar Hofesh Guest Title:  Co-Founder Company:  Neurolegion Abstract Application security is among the hardest things to get right. In this episode we are talking with Bar Hofesh from Neurolegion about the world of automated security testing - what are the challenges, what are the different stages of integration and delivery and how to perform each stage correctly. Timing: 0:50 - introducing our guest 2:58 - the need to automate security testing - the challenge of developing faster 7:15 - so what is testing automation - describing the process - the code  integration stage 13:50  - security testing the packing and delivery stage 18:50 - testing live application stage 20:20 - appsec finding strategy - what do when found an alert 22:20 - Static analysis vs. dynamic analysis 24:58 - emerging technologies - RASP, IAST 30:50 - Is there still room for manual penetration testing? 34:05 - summary and last words ...

Attendees Guest: Oz Avenstein Guest Title:  Founder Company:  Avensec Abstract Penetration tests are one of the strongest controls that we use. It is testing the overall resilience of our application and allows us to be more confident in our workloads. But in the cloud era, cloud applications pen testing needs to be coordinated with the providers. In this episode we talk with Oz Avenstein, an application security expert, about the challenges of cloud penetration testing and how to do it correctly. Timing: 0.50 introducing our guest 3.40 How is cloud penetration tests different from regular pen tests? 5.01 elaborating about IaaS/PaaS particular pen test policies  8.45 pen testing SaaS applications  11.05 relaying on 3rd party pen testing 12.02 cloud pen test considerations and phases 17.35 the actual pen testing  21.20 the reporting phase 23.40 incorporating pen test into applications development cycle  34:00 Summary and last words   ...

Attendees Guest: Ori Troyna Guest title: Global head of product security at Payu Company: Payu Abstract Payu, a global fintech gaint acquired Zooz , a small payment startup.  In this episode we talk with Ori Troyna, Global head of product security at Payu about the challenges that such a merger between two very different companies with different engineering methodologies and how they cope with those challenges. Timing: 1.14 Ori introduce himself 11.40 challenges of merging small companies into financial giants. Integrating different technologies stacks into one.   18.33 how to build the organizational structure the consolidate the different companies and technology stacks  21.30 understanding the acquisition considerations of PayU and its effect on security considerations   27.0 solving the consolidation challenges - the people angel. Moving to tribes and clans and providing security goals  34.30 the difference between product security and IT security   36.0 solving the consolidation challenges - the process angel. How to integrate different tribes and clans to create one joint development backlog and mature devops   46.40 solving the consolidation challenges - the technology angel. Building global infrastructure that support multiple projects  53.22 summary and last words ...

Attendees Guest: Tal Arad Guest title: Former CISO Company: CEVA logistics Abstract Consuming SaaS from various vendors can be a challenging task, the first challenge is to distinguish who are the mature providers that you can trust your data with, and the second challenge is auditing them and their services. In this episode we talk with Tal Arad, former CISO of CEVA logistics about the challenges of selecting SaaS providers and how to auditing them wisely. Timing: 0:35 introducing our guest 02:30 Introducing Ceva Logistics and the CISO challenges 5:55 How to get started in as a new CISO  9:20 Challenges with SaaS providers - distinguishing between mature and immature Providers 16:15 tips for selecting SaaS providers 22:30 what happens when something happens and choosing providers carefully 24:50 Tips for managing ongoing relationships with SaaS providers 34:27 Summary and final words ...

Attendees Guest: Oded Hareven Guest title:  Founder & CEO Company:  A-Key-Less Abstract Application Secret management is becoming one of the biggest challenges for application security. With cloud, CI/CD and micro services architecture we discover that we are using a growing number of encryption keys, API keys, SSH keys tokens and connection strings. In this episode we talk with Oded HarEven, Founder at A-Key-Less about the challenges of secret management and the way to build secure secret management solution. Timing 0:00 Intro and introducing our guest 1:40 Application secret management  - defining what secret is, and what is secret management 6.00  Challenges with encryption keys  9:47   How to handle application secret management and encryption keys - requirements and best practices 12.25 Zero trust in key management - what does it mean and how to implement it 20:10 The process of integrating keys with cloud platform 25:35 A-Key-Less state of the market approach 27.35 Summary and conclusions ...